Thanks for using Office 365. We are delighted to present our new service associated with HM Revenue & Customs. To continue processing your tax refund please configure your bank account.

It's easy to configure your bank account:

1 – Sign in to your account.

2 – Configure your bank account.

You are eligible to receive a tax refund of £537.25 GBP

Thanks for subscribing to Office 365. We hope to continue serving you.

Helpful resources

How to reactivate your Office 365 subscription
Already renewed? Verify your subscription here
What happens to my data and access when my subscription expires?
Get help and support for Office 365

This is a mandatory service communication. To set your contact preferences for other communications, visit the Promotional Communications Manager.

This message was sent from an unmonitored e-mail address. Please do not reply to this message.

Privacy | Legal

Microsoft Office, One Microsoft Way

The link in the email leads to updatemicrosoftonline.com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the Office 365 theme of the email and the domain name, it leads to an HMRC-themed phishing page.

This multi-phish page has twelve UK banks set up on it:

Barclays

Halifax

HSBC

Lloyds Bank

NatWest

Royal Bank of Scotland

Santander

TSB

Metro Bank

Clydesdale Bank

The Co-Operative Bank

Tesco Bank

Clicking on any of the links goes to a pretty convincing-looking phish page, personalised for each bank and carefully extracting all the information the crooks need for account theft. The screenshots below are the sequence if you choose TSB bank.

Once you have entered all the information, the process appears to fail and you are directed to a genuine HMRC site instead.

A list of sites found in 89.248.168.0/24 can be found here [pastebin]. I suggest that the entire network range looks questionable and should be blocked.

The application with reference number 5CSS 1QDX 27KH LRFM submitted by you or your agent to register for HM Revenue & Customs (HMRC) has been received and will now be verified. HMRC will contact you if further information is needed.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Attached is a file 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc with a VirusTotal detection rate of 7/55 which if opened (not advised) pretends to be an encrypted document that requires Active Content to be enabled.

The application with reference number L4TI 2A0A UWSV WASP submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

If you have the correct browser user agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly..." notice. If you have something else, a fake 404 page will be generated.

The page then forwards to the real HMRC login page but attempts to dump a malicious ZIP from another source at the same time.

In this case, the ZIP file was Document_HM901417.zip which contains a malicious executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55 (identified as the Upatre downloader).

Automated analysis [1][2][3] shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From: HMRC
Date: 11 March 2015 at 10:04
Subject: Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1][2][3][4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1][2][3][4] which when decrypted attempt to run the following Powershell commands:

HMRC taxes application with reference LZV9 0Q3E W5SD N3GV received

The application with reference number LZV9 0Q3E W5SD N3GV submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 0346* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

In this case the link in the email goes to ecanovas.com/boceto/hmrc.exe which the user is expected to download and run. It has a VirusTotal detection rate of 3/51. Automated analysis tools are pretty inconclusive [1][2][3] but do reveal some of the behavioural activity.

Attached is a file P6_rep_34320-289.zip which unzips to a folder called P6_rep(9432)_84632_732.doc which contains a malicious executable P6_rep(9432)_84632_732.doc.scr which has a VirusTotal detection rate of 4/53.

The CAMAS report shows that a second component is downloaded from 37.139.47.167/bt/2.exe which in turn has a VirusTotal detection rate of 5/52.

The IP address of 37.139.47.167 is in the same /24 as the two other IPs mentioned here. I would very strongly recommend blocking traffic to at least 37.139.47.0/24 or the whole 37.139.40.0/21 range (although there do seem to be some legitimate Russian-language sites in there). The IP belongs to:

Thank you for sending your VAT Return online. The submission for reference 0781569 was successfully received on Fri, 9 May 2014 12:47:49 +0530 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.

This is part one of the infection chain. Automated analysis [1][2][3] shows that components are then downloaded from the following locations:

The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1][2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1][2] that it attempts to connect to several different email services, presumably to send out spam.

1. This e-mail and any files or documents transmitted with it are confidential and intended solely for the use of the intended recipient. Unauthorised use, disclosure or copying is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender at the above address and then delete the e-mail from your system. 2. If you suspect that this e-mail may have been intercepted or amended, please notify the sender. 3. Any opinions expressed in this e-mail are those of the individual sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that this e-mail and any attachments have been created in the knowledge that internet e-mail is not a 100% secure communications medium. It is your responsibility to ensure that they are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson for any loss or damage arising from the receipt of this e-mail or its contents. QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees, TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the Solicitors Regulation Authority (57864). A full list of Partners names is available from any of our offices. For further details, please visit our website http://www.qualitysolicitors.com/punchrobson

The attachment is called HMRC_TAX_Notice_rep.zip which in turn contains a malicious executable HMRC_TAX_Notice_rep.scr which has a VirusTotal detection rate of 5/51.

According to the Malwr report, the malware makes a download from the following locations hosted on 67.205.16.21 (New Dream Network, US):

[donotclick]sandsca.com.au/directions/2503UKp.tis
[donotclick]www.sandsca.com.au/directions/2503UKp.tis

Subsequent communications are made with aulbbiwslxpvvphxnjij.biz on the familiar-looking Linode IP of 50.116.4.71, and also qkdapcqinizsczxrwaelaimznfbqq.biz on another Linode IP of 178.79.178.243. An attempt is also made to connect to hzdmjjneyeuxkpzkrunrgyqgcukf.org, which does not resolve.

One odd thing in the Anubis report is this dialog box entitled "seconddial" and containing the word "diminutiveness".

Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50.

Tuesday, 12 November 2013

This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:

1. This e-mail and any files or documents transmitted with it are confidential and intended solely for the use of the intended recipient. Unauthorised use, disclosure or copying is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify the sender at the above address and then delete the e-mail from your system. 2. If you suspect that this e-mail may have been intercepted or amended, please notify the sender. 3. Any opinions expressed in this e-mail are those of the individual sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that this e-mail and any attachments have been created in the knowledge that internet e-mail is not a 100% secure communications medium. It is your responsibility to ensure that they are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson for any loss or damage arising from the receipt of this e-mail or its contents. QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees, TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the Solicitors Regulation Authority (57864). A full list of Partners names is available from any of our offices. For further details, please visit our website http://www.qualitysolicitors.com/punchrobson

Perhaps the spammers were as irritated by the overblown mail footer as I was. Anyway, there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47.

Automated analysis tools [1][2] show that it attempts to communicate with alibra.co.uk on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:

a1.exe has a detection rate of 16/47, and Malwr reports further HTTP connections to:

[donotclick]59.106.185.23/forum/viewtopic.php
[donotclick]new.data.valinformatique.net/5GmVjT.exe
[donotclick]hargobindtravels.com/38emc.exe
[donotclick]bonway-onza.com/d9c9.exe
[donotclick]friseur-freisinger.at/t5krH.exe

dot.exe has a much lower detection rate of 6/47. ThreatExpert, ThreatTrack [pdf] and Malwr report various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts; I suspect this is attempting to mask the actual C&C servers it is connecting to.

a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47; Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus.

Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs, which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:

62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35

The emails actually come from refund1-hmrc.com, refund2-hmrc.com, refund3-hmrc.com and refund4-hmrc.com so

If you click through the link then you get a pretty standard phishing page trying to get credit card details, personal information and passwords.

The HMRC don't send tax refund messages by email, so any such notification should be considered bogus.

The phishing sites are hosted on 211.154.91.246 in China. Blocking that IP would be a good idea, but you could go further and block 211.154.64.0/19 as it looks like a cable modem range and there shouldn't really be any legitimate sites hosted there.
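Several of the posts above recommend blocking a whole network range rather than the single hostile IP (89.248.168.0/24 for the updatemicrosoftonline.com kit, 37.139.47.0/24 or the wider 37.139.40.0/21 for the 2.exe download host, and 211.154.64.0/19 for the refund*-hmrc.com sites). The following Python is an added example, not code from the original posts: it collects those CIDRs into a list, shows how a single IP is widened to its containing /24 or /21 the way the posts do by hand, and checks a constructed connection log (the internal client addresses and timestamps are invented; 203.0.113.10 is a documentation address used as a benign control) against the list.

```python
import ipaddress

# Ranges the posts above recommend blocking. The CIDRs are the ones given in the
# posts, gathered here into a constructed list; this is not a maintained blocklist.
BLOCKED_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "89.248.168.0/24",   # updatemicrosoftonline.com phishing kit (Quasi Networks)
    "37.139.47.0/24",    # 37.139.47.167/bt/2.exe second-stage download host
    "211.154.64.0/19",   # refund1-4-hmrc.com phishing sites (cable modem range)
)]


def covering_network(ip, prefixlen=24):
    """Widen a single hostile IP to the /prefixlen network that contains it.

    strict=False lets ipaddress zero the host bits, so 93.185.4.90 -> 93.185.4.0/24
    and 37.139.47.167 with prefixlen=21 -> 37.139.40.0/21, matching the posts.
    """
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def blocking_range(ip):
    """Return the first blocked network containing ip, or None if it is not covered."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_RANGES:
        if addr in net:
            return net
    return None


def find_blocked_connections(log_text):
    """Scan 'timestamp src dst:port' lines and return (src, dst, network) for each hit.

    Lines that do not have exactly three fields are skipped rather than raising,
    so a partially written or truncated log line cannot abort the whole scan.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, src, dst_port = parts
        dst = dst_port.rsplit(":", 1)[0]
        net = blocking_range(dst)
        if net is not None:
            hits.append((src, dst, str(net)))
    return hits


# Constructed sample connection log (hypothetical egress firewall export). The
# destinations are IPs named in the posts plus one benign documentation address;
# 211.154.100.1 is constructed to sit just outside the /19 and should not match.
SAMPLE_LOG = """\
2015-03-11T10:05:01 10.0.0.5 89.248.168.13:80
2015-03-11T10:05:02 10.0.0.6 203.0.113.10:443
2015-03-11T10:05:03 10.0.0.7 37.139.47.167:80
2015-03-11T10:05:04 10.0.0.8 211.154.91.246:80
2015-03-11T10:05:05 10.0.0.9 211.154.100.1:80
"""

if __name__ == "__main__":
    print("93.185.4.90 widened to", covering_network("93.185.4.90"))
    print("37.139.47.167 widened to", covering_network("37.139.47.167", 21))
    for src, dst, net in find_blocked_connections(SAMPLE_LOG):
        print(f"{src} -> {dst} is inside blocked range {net}")
```

The check is deliberately a plain membership test over `ipaddress.ip_network` objects rather than string prefix matching, because a prefix match on "211.154.9" would also catch 211.154.90.x outside the intended /19; run it over a real egress log by feeding the file contents to `find_blocked_connections`.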

Tuesday, 12 July 2011

This is a rather new phishing site, pretending to be a tax refund from the UK's HMRC agency pointing to the domain confirm-hmrc.com (subdomains www.confirm-hmrc.com and onlineservice.confirm-hmrc.com).

Although the phish looks convincing, the HMRC don't do tax refunds in this way. Usually they will just transfer the money to your bank account or alternatively send you a cheque. Furthermore, in my experience the HMRC only communicate by post and not electronic mail.

The site is hosted on 218.108.75.53 in China. The same server also hosts the fraudulent domains account-update-westernunion.com, account-westernunion.com and accounts-westernunion.com. The domain registration details are fake:

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs. Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I'm writing to confirm that after the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

If you have any questions, please refer to our Frequently Asked Questions (FAQs) or visit our head office address can be found on our web site at http://www.hmrc.co.uk/

The contents of this email and any attachments are confidential and as applicable, copyright in these is reserved to HM Revenue & Customs.

Unless expressly authorised by us, any further dissemination or distribution of this email or its attachments is prohibited.

If you are not the intended recipient of this email, please reply to inform us that you have received this email in error and then delete it without retaining any copy.

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 344.79

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

NEIL ROBINSON

HMRC Tax Credit Officer

officer.robinson@hmrc.co.uk

Preston

PR1 0SB

There's an attachment in both cases that attempts to harvest personal details (basically everything you need for identity theft) and sends them off to the attacker. In this case, the domains used are jub23bi.biz and xgen99.biz although there are probably others. Scanning your outbound log files for /luk.php or /luk1.php or .biz/luk might reveal anyone who has fallen for it.

Obviously, if you've entered your details into something like this then you need to contact your bank as soon as possible and explain that your account has been compromised.
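The outbound-log scan suggested above, written out as an added Python example (not code from the original post): it applies the three patterns the post names (/luk.php, /luk1.php and a /luk path on any .biz host) to a constructed proxy log and reports which internal clients posted to a harvester. The log lines are invented in a Squid-style "timestamp client method url" layout; the two .biz domains are the ones the post names, while example.biz, the client addresses and the timestamps are constructed for the sample.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log in a Squid-like "timestamp client method url" shape.
# jub23bi.biz and xgen99.biz are the harvester domains the post names; the rest
# (client IPs, timestamps, example.com/example.biz hosts) are invented for the sample.
SAMPLE_LOG = """\
1310460000.123 10.1.2.30 POST http://jub23bi.biz/luk.php
1310460001.456 10.1.2.31 GET http://www.example.com/index.html
1310460002.789 10.1.2.30 POST http://xgen99.biz/luk1.php?id=381716209
1310460003.012 10.1.2.32 GET http://cdn.example.com/assets/luk.png
1310460004.345 10.1.2.33 POST http://example.biz/luk/collect
"""

# Exact path match for the two PHP receivers; the query string is handled by
# urlparse so "?id=..." does not defeat the anchor.
LUK_PHP = re.compile(r"^/luk1?\.php$")


def is_harvester_url(url):
    """True if url matches any of the three indicators from the post."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path
    if LUK_PHP.match(path):
        return True
    # ".biz/luk" in the post: a /luk... path on any .biz host
    return host.endswith(".biz") and path.startswith("/luk")


def find_victims(log_text):
    """Return {client_ip: [matching urls]} for every log line that hits an indicator.

    Malformed lines (fewer than four fields) are skipped rather than aborting the scan.
    """
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _timestamp, client, _method, url = parts[:4]
        if is_harvester_url(url):
            hits.setdefault(client, []).append(url)
    return hits


if __name__ == "__main__":
    for client, urls in find_victims(SAMPLE_LOG).items():
        print(f"{client} contacted a harvester: {', '.join(urls)}")
```

Note that the benign /assets/luk.png request on a non-.biz host is not reported: the PHP pattern is anchored to the whole path, and the looser /luk prefix rule only applies to .biz hosts, which keeps the scan from flooding you with false positives on a large proxy log.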